In this tutorial, you will learn how to secure smart home devices by setting up an EJBCA PKI compatible with the Matter IoT standard and issuing Device Attestation Certificates (DACs).
This tutorial covers the basic configuration of certificate authorities (CAs) and end entities in EJBCA, enough to understand the concepts and to test against the Matter IoT standard. A production PKI that complies with the Matter Certificate Policy requires additional measures, such as protecting the PAA and PAI signing keys in a Hardware Security Module (HSM).
A Matter IoT PKI consists of three levels:
- Root CA - Product Attestation Authority (PAA): Root CA that signs the certificates of the Product Attestation Intermediate (PAI).
- Sub CA - Product Attestation Intermediate (PAI): Sub CA that issues Device Attestation Certificates (DACs).
- End Entity - Device Attestation Certificate (DAC): Matter standardized certificates issued for the IoT devices.
📚 *The tutorial covers these steps:*
2:19 Start EJBCA Docker container
4:15 Create and configure Product Attestation Authority (PAA) as a stand-alone Root CA
9:59 Prepare PAI by creating Sub CA profiles to issue PAI certificates and a Sub CA end entity on the PAA
14:04 Create and configure Product Attestation Intermediate (PAI) and a CSR
20:17 Create and configure Device Attestation Certificate (DAC) profile, end entity profile, and end entity for DACs
23:59 Issue a Device Attestation Certificate, enroll it, and view its content.
💡 The Matter standard and certificate policy may be updated, so always verify any profiles you create against the latest version of the Matter specifications and policies. See [ Link ] and [ Link ].
*Prerequisites*
Before you begin, you will need:
- A running Docker instance. See [ Link ].
- OpenSSL for generating a key pair and a CSR. See [ Link ].
*Download*
- EJBCA on Docker Hub: [ Link ]
*Documentation*
- Full tutorial: [ Link ]
- About Matter: [ Link ]
- For more details on EJBCA setup, see [ Link ].
ℹ️ *About the Keyfactor Community*
As a pioneer in open-source cryptography, PKI, and signing, Keyfactor offers the Bouncy Castle cryptographic APIs, the open-source certificate authority software EJBCA Community, and the open-source signing software SignServer Community. Join the Keyfactor Community, a hub for engineers, developers, and security experts seeking relevant solutions for cryptography, certificates, PKI, and signing while prototyping or testing their products and applications. The Keyfactor Community is a part of Keyfactor. Read more on [ Link ].
🔗 *For more information:*
- Visit the website: [ Link ]
- Sign up for our newsletter: [ Link ]
- Follow us on X (Twitter): [ Link ]